Solved: Re: How to add multiple rows while creating Incide...

aditsss · ‎03-31-2021

Hi Everyone,

I have one requirement.

I am creating Incident through splunk alerts using SAHARA.

This issue I am facing is:

Below is my query:

index=abc ns=xyz|stats count by app_name|eval f1="khus"

The result of the query is this:

app_name f1

abc khus

xyx khus

But when I creating incident I am only getting first row in my incident not the second row

I have passed like this in unique ID

$result.app_name$ $result.f1$

Can someone guide me on this

manjunathmeti · ‎03-31-2021

You can attach results as csv file OR make fields multivalued so that all the events fit into on erow.

index=abc  ns=xyz | stats count by app_name | eval f1="khus" | stats values(*) as *

View solution in original post

manjunathmeti · ‎03-31-2021

hi @aditsss,

You can set Trigger to For each result under Trigger Conditions on the alert edit page.

If this reply helps you, a like would be appreciated.

aditsss · ‎03-31-2021

@manjunathmeti

In this way 2 Incidents are created for each row.

I want only one Incident should be there and 2nd should be append to it.

Because they are from the same result .

Can you guide me is that possible

manjunathmeti · ‎03-31-2021

You can attach results as csv file OR make fields multivalued so that all the events fit into on erow.

index=abc  ns=xyz | stats count by app_name | eval f1="khus" | stats values(*) as *

aditsss · ‎03-31-2021

@manjunathmeti

I cant use csv or I can append result in single row because these are Exception messages and ol will be different.

There could be 15 rows also.

Is there any way that if search alert result in 5 rows

one incident will be created and all the 5 rows will be appended to it.

Is any functionality there .

manjunathmeti · ‎03-31-2021

Yes you can, try this:

index=abc  ns=xyz | stats count by app_name | eval f1="khus" | streamstats count as temp | eval temp=floor(count/5) | stats values(*) as * by temp | fields - temp

aditsss · ‎03-31-2021

@manjunathmeti

I tried with this query as well:

I am still getting 3 rows

manjunathmeti · ‎03-31-2021

index=abc  ns=blazegateway|stats count by app_name | eval f1="khushi" | streamstats count as temp | eval temp=floor(count/3) | stats list(*) as * by temp | fields - temp

Post some data if you don't get result as you expect.

aditsss · ‎03-31-2021

@manjunathmeti

with this query also I am getting 3 rows.

Is that possible that I can create one incident and then append rest of the rows in it.

aditsss · ‎04-01-2021

@manjunathmeti

I want like if 2 rows are coming in search result for alert then both rows should come in same incident

Suppose these are the result I am getting:

F1 appname

k d

c g

Then when creating incident in uniquefield when I type $result.F1$ $result.appname$

Then both F1 and appname should come on same incident

But currently I am getting only one in incident

Can you guide me on this

How to add multiple rows while creating Incident through splunk

chart

simple XML

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!